## The Problem

Every SOC analyst and MSP team I've talked to has the same complaint: "We get 200 alerts a day. Maybe 10 are real. But someone has to check all 200."

That's alert fatigue. And it's not a small problem — the average analyst spends 3-5 hours daily on manual triage. Most of that time is wasted on false positives.

I decided to build something to fix this. Two weeks later, I had a working MVP. Here's exactly how I built it.

## The Architecture

The system has 4 main components:

```
Alert Input (Defender/SentinelOne/JSON)
        ↓
Alert Normalizer
        ↓
LangGraph Triage Agent
  ├── Enrich Node (VirusTotal + MITRE ATT&CK)
  ├── Analyze Node (LLM risk scoring)
  └── Human-in-the-Loop Node (Critical alerts)
        ↓
Output (Risk Score + Slack + Audit Log)
```

## Step 1: Alert Normalizer

The first challenge: every security tool outputs alerts in a different format. Defender looks different from SentinelOne, which looks different from a generic SIEM.…
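An added example of the normalizer idea from Step 1 (my own illustration, not the post's code): two vendor-shaped alerts are mapped into one common schema that the downstream enrich/analyze/HITL nodes can consume, with inconsistent severity vocabularies folded into one scale and unknown sources rejected rather than guessed. The sample alerts are constructed and the vendor field names are assumptions modelled on each product's schema, not verified API output.

```python
from dataclasses import dataclass, field

# Common schema that every downstream node (enrich, analyze, HITL) consumes.
@dataclass
class NormalizedAlert:
    source: str
    alert_id: str
    title: str
    severity: str                # one of: low, medium, high, critical
    host: str
    timestamp: str               # ISO-8601 UTC, passed through from the vendor
    indicators: dict = field(default_factory=dict)   # e.g. {"sha1": [...]}

SEVERITIES = ("low", "medium", "high", "critical")
# SentinelOne reports a confidence level rather than a severity (assumption).
S1_CONFIDENCE_TO_SEVERITY = {"malicious": "high", "suspicious": "medium"}

def normalize_defender(raw: dict) -> NormalizedAlert:
    sev = str(raw.get("severity", "")).lower()      # vendor may send "High"
    return NormalizedAlert(
        source="defender", alert_id=str(raw["id"]), title=raw["title"],
        severity=sev if sev in SEVERITIES else "medium",   # unknown value -> safe default
        host=raw.get("computerDnsName", "unknown"), timestamp=raw["alertCreationTime"],
        indicators={"sha1": [e["sha1"] for e in raw.get("evidence", []) if e.get("sha1")]},
    )

def normalize_sentinelone(raw: dict) -> NormalizedAlert:
    info = raw["threatInfo"]
    return NormalizedAlert(
        source="sentinelone", alert_id=str(info["threatId"]), title=info["threatName"],
        severity=S1_CONFIDENCE_TO_SEVERITY.get(str(info.get("confidenceLevel", "")).lower(), "low"),
        host=raw.get("agentRealtimeInfo", {}).get("agentComputerName", "unknown"),
        timestamp=info["createdAt"],
        indicators={"sha1": [info["sha1"]]} if info.get("sha1") else {},
    )

NORMALIZERS = {"defender": normalize_defender, "sentinelone": normalize_sentinelone}

def normalize(source: str, raw: dict) -> NormalizedAlert:
    if source not in NORMALIZERS:                   # refuse to guess at unknown formats
        raise ValueError(f"unsupported alert source: {source}")
    return NORMALIZERS[source](raw)

# Constructed sample alerts (not real vendor output); field names are assumptions.
DEFENDER_SAMPLE = {"id": "da637", "title": "Suspicious PowerShell command line",
                   "severity": "High", "computerDnsName": "ws-042.corp.local",
                   "alertCreationTime": "2024-05-01T10:15:00Z",
                   "evidence": [{"entityType": "File", "sha1": "a" * 40}]}
S1_SAMPLE = {"threatInfo": {"threatId": 1001, "threatName": "Generic.Malware",
                            "confidenceLevel": "malicious", "sha1": "b" * 40,
                            "createdAt": "2024-05-01T10:20:00Z"},
             "agentRealtimeInfo": {"agentComputerName": "ws-043"}}
```

Adding a third source (a generic SIEM JSON shape) is one more function registered in `NORMALIZERS`; nothing downstream changes.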